Differences
This shows you the differences between two versions of the page.
Old revision: en:certificates [2019/07/24 12:53] – [Information for Service Providers] Wolfgang Pempe | New revision: en:certificates [2021/01/27 10:09] – Wolfgang Pempe
Line 10: | Line 10: | ||
==== Information for Service Providers ==== | ==== Information for Service Providers ==== | ||
- | All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, | + | All certificates and the respective private keys used for SAML-based communication have to be added to your SP's configuration, |
=== DFN-PKI Certificates === | === DFN-PKI Certificates === | ||
Line 17: | Line 17: | ||
=== Common Trusted CA Certificates === | === Common Trusted CA Certificates === | ||
- | You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). They must not exceed a validity of 39 months. If you get an " | + | You can use certificates issued by common Certification Authorities (CAs) that are preinstalled in the most common web browsers (Google Chrome, Firefox, Microsoft Edge). If you get an " |
=== Self-signed Certificates === | === Self-signed Certificates === | ||
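Review bot: removing "They must not exceed a validity of 39 months." from the Common Trusted CA Certificates line leaves the page with no stated validity limit for CA-issued certificates at all, while the self-signed and Letsencrypt paragraphs further down still argue from certificate lifetime (3 years recommended, 90 days discouraged). If the 39-month figure was dropped because publicly trusted CAs no longer issue certificates that long, state the limit the federation now accepts in its place rather than deleting the sentence silently, so that a reader can weigh a CA-issued certificate against the 3-year self-signed recommendation.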
Line 27: | Line 27: | ||
$ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem | $ openssl x509 -noout -fingerprint -sha256 -in self-signed-server-cert.pem | ||
</ | </ | ||
- | * As a third option, you can send us the certificate in an S/ | + | * As a third option, you can send us the certificate in an S/ |
<callout type=" | <callout type=" | ||
Line 39: | Line 39: | ||
== Letsencrypt == | == Letsencrypt == | ||
We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, | We strongly advise against the use of Letsencrypt certificates for SAML-based communication as they expire after 90 days. Every time, you would have to do a manual certificate rollover in the metadata administration tool. The SP configuration has to be adapted twice for a rollover, too. That is why we recommend self-signed certificates with a validity of 3 years. (If you are securing your webserver with Letsencrypt certificates, | ||
- | |||
- | === Certificate rollover === | ||
- | Whenever you switch to a new certificate, | ||
**Next step:** [[en: | **Next step:** [[en: | ||
+ | |||
+ | ==== Certificate / Key Rollover (SP) ==== | ||
+ | |||
+ | Whenever you switch to a new certificate, | ||
===== The SSL certificate chain on your webserver ===== | ===== The SSL certificate chain on your webserver ===== |
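Review bot: promoting "Certificate rollover" from a === subsection under "Letsencrypt" to its own ==== Certificate / Key Rollover (SP) ==== section is the right call, since a rollover is needed for every certificate type and not only for Letsencrypt, but the new section is inserted after the "**Next step:**" link, so a reader who follows that pointer leaves the page before reaching the rollover procedure. Either move the new section above the "**Next step:**" line or repeat the pointer after it. The Letsencrypt paragraph, which is unchanged in this hunk, still says "The SP configuration has to be adapted twice for a rollover, too." without pointing at the procedure that explains those two adaptations; link that sentence to the new section now that it has a heading of its own.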